CVE-2022-0391

7.5 HIGH

📋 TL;DR

This vulnerability in Python's urllib.parse module allows injection attacks via crafted URLs containing carriage return (\r) or line feed (\n) characters in the path component. Attackers can exploit this to manipulate URL parsing outcomes, potentially leading to various injection scenarios. This affects Python applications using urllib.parse for URL handling in vulnerable versions.

💻 Affected Systems

Products:
  • Python
  • Applications using Python's urllib.parse module
Versions: Python <3.10.0b1, <3.9.5, <3.8.11, <3.7.11, <3.6.14
Operating Systems: All operating systems running vulnerable Python versions
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using urllib.parse.urlparse() or related functions with user-controlled input is vulnerable. This includes web frameworks, APIs, and command-line tools.

📦 What is this software?

Python by Python

Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.

Learn more about Python →


⚠️ Risk & Real-World Impact

🔴

Worst Case

CRLF injection leading to HTTP response splitting, cache poisoning, or injection of malicious headers that could enable cross-site scripting (XSS), session hijacking, or server-side request forgery (SSRF).

🟠

Likely Case

CRLF injection enabling HTTP response splitting or header injection in web applications that process user-supplied URLs, potentially leading to cache poisoning or limited XSS.

🟢

If Mitigated

Limited impact if input validation and output encoding are properly implemented, though the vulnerability still exists at the parsing layer.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is available in the Python bug tracker. Exploitation requires user-controlled input being passed to vulnerable functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.10.0b1, 3.9.5, 3.8.11, 3.7.11, 3.6.14 or later

Vendor Advisory: https://bugs.python.org/issue43882

Restart Required: Yes

Instructions:

1. Identify the Python version with 'python --version'.
2. Update Python with the package manager: 'apt update && apt upgrade python3' (Debian/Ubuntu) or 'yum update python3' (RHEL/CentOS).
3. Restart affected applications/services.
4. For compiled applications, recompile with the patched Python.

🔧 Temporary Workarounds

Input validation for URLs (applies to: all)

Sanitize user-supplied URLs before passing them to urllib.parse by removing or rejecting CR/LF characters:

import re
# Drop raw carriage-return and line-feed characters before parsing
sanitized_url = re.sub(r'[\r\n]', '', user_input_url)

Use alternative parsing (applies to: all)

Replace urllib.parse.urlparse() with custom validation or an alternative library that handles CR/LF properly.

🧯 If You Can't Patch

  • Implement strict input validation to reject URLs containing CR (\r) or LF (\n) characters
  • Use web application firewalls (WAF) with CRLF injection rules to block malicious requests

🔍 How to Verify

Check if Vulnerable:

Test with: python3 -c "from urllib.parse import urlparse; print(urlparse('http://example.com/path\r\nInjection:test'))" and check whether the CR/LF characters appear in the parsed path. The probe must use raw CR/LF characters: urlparse() does not percent-decode its input, so a URL written with %0d%0a is passed through unchanged on both vulnerable and fixed versions and reveals nothing.

Check Version:

python --version  or  python3 --version

Verify Fix Applied:

After patching, the same test (with raw CR/LF characters in the URL) should show the CR/LF characters stripped from the parsed components rather than preserved in the path.
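As an added example (not code from the advisory or from CPython), the following combines the input-validation workaround above with the version probe from the verification step: it rejects or strips CR/LF before calling urlparse(), and checks whether the running interpreter already strips them. The function names and the sample URL are this example's own; it also strips TAB, which the advisory's workaround does not mention but which the upstream fix removes alongside CR and LF.

```python
import re
from urllib.parse import urlparse

# Characters the upstream CPython fix (bpo-43882) strips from a URL before
# splitting it: CR, LF and TAB. The same set is stripped/rejected here.
# (Assumption: the advisory's workaround lists only CR/LF; TAB is included
# because the upstream fix removes it as well.)
_UNSAFE_URL_CHARS = re.compile(r"[\r\n\t]")


def has_crlf(url: str) -> bool:
    """True if the raw URL string contains a CR, LF or TAB."""
    return _UNSAFE_URL_CHARS.search(url) is not None


def reject_unsafe_url(url: str) -> str:
    """Fail-closed check: refuse URLs carrying CR/LF/TAB instead of silently
    rewriting them, so the caller never acts on a URL it did not intend."""
    if has_crlf(url):
        raise ValueError("URL contains CR/LF/TAB characters")
    return url


def strip_unsafe_url(url: str) -> str:
    """Lenient alternative mirroring the upstream fix: drop CR/LF/TAB."""
    return _UNSAFE_URL_CHARS.sub("", url)


def parse_url_safely(url: str):
    """Validate first, then parse; raises ValueError on CR/LF/TAB input."""
    return urlparse(reject_unsafe_url(url))


def strip_and_parse(url: str):
    """Strip CR/LF/TAB, then parse; the result is CR/LF-free regardless of
    whether the interpreter itself is patched."""
    return urlparse(strip_unsafe_url(url))


def interpreter_strips_crlf() -> bool:
    """Probe whether this interpreter's urlparse already removes CR/LF
    (i.e. the CVE-2022-0391 fix is present). Uses raw control characters:
    a percent-encoded %0d%0a is never decoded by urlparse, so it would not
    reveal anything on either a fixed or a vulnerable version."""
    parsed = urlparse("http://example.com/path\r\nInjected: header")
    return "\r" not in parsed.path and "\n" not in parsed.path


if __name__ == "__main__":
    crafted = "http://example.com/path\r\nX-Injected: 1"  # constructed sample
    print("interpreter already strips CR/LF:", interpreter_strips_crlf())
    print("stripped then parsed:", strip_and_parse(crafted))
    try:
        parse_url_safely(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting is the better default at a trust boundary (an API parameter, a redirect target taken from the request): a URL that had control characters removed may no longer be the URL the client meant, and the rejection itself is a useful log event. Stripping is the choice when compatibility with the patched interpreter's behaviour matters more than strictness.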

📡 Detection & Monitoring

Log Indicators:

  • URLs containing %0d, %0a, \r, or \n in path components
  • Unusual HTTP headers or response splitting in web server logs

Network Indicators:

  • HTTP requests with encoded CR/LF characters in URLs
  • Abnormal HTTP responses with injected headers

SIEM Query:

source="web_logs" AND (url="*%0d*" OR url="*%0a*" OR url="*\\r*" OR url="*\\n*")
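As an added example (not part of the advisory), here is the log-indicator check above applied to access-log lines in Python rather than as a SIEM query: it extracts the request target from each line and flags encoded (%0d/%0a, either case) or raw CR/LF, and it goes one step beyond the query by also percent-decoding the target once so that a double-encoded %250d, which the literal patterns miss, is caught. The log lines, client addresses and paths are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format, abbreviated);
# the client IPs, timestamps and paths are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2024:10:01:02 +0000] "GET /search?q=python HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2024:10:01:07 +0000] "GET /redirect?u=http://x.test/p%0d%0aX-Injected:1 HTTP/1.1" 302 0',
    '10.0.0.7 - - [10/Mar/2024:10:01:09 +0000] "GET /img/logo%0Apng HTTP/1.1" 404 120',
    '10.0.0.2 - - [10/Mar/2024:10:01:11 +0000] "GET /docs/%250d%250a HTTP/1.1" 200 99',
]

# Request line inside the quoted part of the log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Percent-encoded CR/LF in either case, or raw CR/LF that survived into the target.
CRLF_RE = re.compile(r"%0[dD]|%0[aA]|[\r\n]")


def find_crlf_indicators(lines):
    """Return one finding per log line whose request target carries CR/LF,
    checking both the raw target and a single percent-decoded pass so that
    a double-encoded %250d (which decodes to %0d) is also flagged."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line; nothing to inspect
        target = m.group("target")
        if CRLF_RE.search(target):
            reason = "encoded or raw CR/LF in request target"
        elif CRLF_RE.search(unquote(target)):
            reason = "CR/LF appears after one level of percent-decoding"
        else:
            continue
        findings.append({
            "client": line.split(" ", 1)[0],
            "method": m.group("method"),
            "target": target,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_crlf_indicators(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['target']!r}: {f['reason']}")
```

Expect some benign noise from this rule: legitimate clients occasionally send %0A in query strings (for example a newline inside a search term), so the findings are best correlated with the response side (unexpected headers or a split response in the server log) before being treated as an attack.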
